use cgi dir for better security
authorIan Kelling <ian@iankelling.org>
Fri, 26 Aug 2016 05:26:34 +0000 (22:26 -0700)
committerIan Kelling <ian@iankelling.org>
Fri, 26 Aug 2016 05:26:34 +0000 (22:26 -0700)
_site/cgi/comment [moved from _site/comment.rb with 92% similarity]
b.rb
build.rb
setup.sh

similarity index 92%
rename from _site/comment.rb
rename to _site/cgi/comment
index 14f1152..b1e8796 100755 (executable)
@@ -27,9 +27,12 @@ require 'fileutils'
 require 'time'
 require 'sqlite3'
 
-require_relative '../b'
+Dir.chdir(File.join(File.dirname(__FILE__), '..'))
+
+require '../b'
 include B
 
+
 # constanty things
 DEBUG = true
 CAPTCHA = -> {
@@ -77,11 +80,11 @@ EOF
 def do_captcha
   captcha_q = CAPTCHA.sample[0]
   puts "Content-type: text/html\n\n"
-  puts skel('comment.rb', "#{DN}/captcha", <<EOF, ' / <a href="/blog.html">blog</a> / comment-captcha')
+  puts skel("#{DN}/captcha", <<EOF, header: ' / <a href="/blog.html">blog</a> / captcha')
 <p>Hello friend. I haven't read a post from #{IP}, and I only remember for a few months, so:</p>
 <p>#{captcha_q}</p>
 
-<form action="/comment.rb" method="post">
+<form action="/cgi/comment" method="post">
   <input class="misc" type="text" name="url">
   <input name="goto" type="hidden" value="#{GOTO}">
   <input name="question" type="hidden" value="#{captcha_q}">
@@ -106,7 +109,6 @@ def fail(msg)
 end
 
 def redir
-  File.write('/tmp/x', GOTO)
   puts 'Status: 302 Found'
   puts "Location: #{GOTO}#comment-section\n\n"
   exit(0)
@@ -126,18 +128,18 @@ if cgi.has_key?('goto')
   GOTO = cgi['goto']
 else
   GOTO = '/'
-  fail['redir to /']
+  fail('redir to /')
 end
 
 if (cgi.has_key?('url') && cgi['url'] != "") || ! cgi.has_key?('comment')
-  fail["comment not in form or url in form. cgi.params: #{cgi.params}"]
+  fail("comment not in form or url in form. cgi.params: #{cgi.params}")
 end
 
 COMMENT_TXT = cgi["comment"]
 
 
 if COMMENT_TXT.length > 1000 or GOTO.length > 150
-  fail['length of comment or goto is too great']
+  fail('length of comment or goto is too great')
 end
 
 
@@ -154,12 +156,12 @@ end
   found = false
   Dir.foreach('blog') do |entry|
     next if ['.','..'].any? { |f| f == entry }
-    if GOTO == 'blog/' + entry
+    if GOTO == '/blog/' + entry
       found = true
       break
     end
   end
-  fail['goto entry not found'] unless found
+  fail('goto entry not found') unless found
 }[]
 ######### end error checking & arg parsing ########
 
@@ -194,18 +196,20 @@ SQL
 
 unless state
   older_date = NOW - DAY*2
-  last_moderated = $db.execute(<<-SQL, [older_date])[-1][0]
+  last_moderated = $db.execute(<<-SQL, [older_date])[-1]
   select date from c
   where ip = '#{IP}' and (
     state = 'moderated' or
     (date < ? and (state = 'timed' or state = 'known')))
 SQL
-  last_good = $db.execute(<<-SQL, [older_date])[-1][0]
+  last_moderated = last_moderated[0] if last_moderated
+  last_good = $db.execute(<<-SQL, [older_date])[-1]
   select date from c
   where ip = '#{IP}' and (
     state = 'picked' or
     (date < ? and (state = 'timed' or state = 'known')))
 SQL
+  last_good = last_good[0] if last_good
   if last_moderated && last_good
     if last_good > last_moderated
       state = 'known'
diff --git a/b.rb b/b.rb
index 511ac8d..2a612a6 100644 (file)
--- a/b.rb
+++ b/b.rb
@@ -49,6 +49,7 @@ module B # blog module
   end
 
   def fwrite(output_path, string)
+    output_path = File.join('./', output_path)
     FileUtils.mkdir_p(File.dirname(output_path))
     File.write(output_path, string)
   end
@@ -161,11 +162,11 @@ EOF
     b = File.basename(file,'.md')
     # date is in the format: YYYY-MM-DD-
     date = Time.parse(b[0..DATE_LEN])
-    rel_path = "blog/#{b[(DATE_LEN + 1)..-1]}.html"
+    rel_path = "/blog/#{b[(DATE_LEN + 1)..-1]}.html"
     comments = $db.execute <<-SQL, [WAIT_DATE]
       select comment, date from c
       where page = '#{rel_path}' and (
-       state = 'picked' or state = 'known'
+       state = 'picked' or state = 'known' or state = 'timed'
        or (state = 'waiting' and date < ?))
 SQL
     # get earliest comment. earlier ones stored in git will also be
@@ -221,7 +222,7 @@ EOF
         comment_html("Note: there #{text} pending approval.", NOW)
     end
     com_section = <<-EOF
-      <form class="comment" action="/comment.rb" method="post">
+      <form class="comment" action="/cgi/comment" method="post">
         <input class="misc" type="text" name="url">
         <input name="goto" type="hidden" value="#{rel_path}">
         <textarea rows="10" name="comment" placeholder="markdown" maxlength="1000"></textarea>
@@ -270,7 +271,7 @@ EOF
           footer: footer_extra,
           comments: com_section,
           description: description)
-    url="#{DURL}/#{rel_path}"
+    url="#{DURL}#{rel_path}"
 
 
     # following from https://creativecommons.org/choose,
index 4a6c268..4025eef 100755 (executable)
--- a/build.rb
+++ b/build.rb
@@ -84,6 +84,8 @@ stdpage('blog', <<EOF)
 </ul>
 EOF
 
-stdpage('resume', md_to_html(File.read('../resume.md')))
+if File.exists? ('../resume.md')
+  stdpage('resume', md_to_html(File.read('../resume.md')))
+end
 
 stdpage('favorite-stuff', File.read('../favorite-stuff.html'))
index 3230bba..66953c5 100755 (executable)
--- a/setup.sh
+++ b/setup.sh
@@ -20,7 +20,8 @@
 set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
-cd "${BASH_SOURCE%/*}"
+script_dir=$(readlink -f "${BASH_SOURCE%/*}")
+cd "$script_dir"
 
 domain=${1:-iankelling.org} # use argument for testing site
 gitroot=/a/bin/githtml
@@ -91,6 +92,11 @@ apache-site - $domain <<EOF
   AddHandler cgi-script .py
 </Directory>
 
+<Directory "/var/www/$domain/html/cgi">
+  Options +ExecCGI
+  SetHandler cgi-script
+</Directory>
+
 # redirect some old paths when I was using jekyll.
 Redirect permanent /10-14-2014/On2-vote-results.html /blog/on2-vote-results.html
 Redirect permanent /09-29-2014/say-On2.html /blog/say-on2.html
@@ -178,4 +184,5 @@ gitweb_descriptions() {
 
 gitweb_descriptions
 
-./build.rb
+$script_dir/build.rb
+s lnf -T $script_dir/_site /var/www/$domain/html